CVE-2024-49377: 
Python vulnerability analysis and mitigation

OctoPrint, a web interface for controlling consumer 3D printers, versions up to and including 1.10.2 contain reflected XSS vulnerabilities in the login dialog and standalone application key confirmation dialog. The vulnerability was discovered and disclosed by Jacopo Tediosi, with a CVE identifier of CVE-2024-49377. The issue affects the Jinja2 template system implementation, which lacks enforced automatic escaping (Vendor Advisory).

The vulnerability stems from improper configuration of OctoPrint's Jinja2 template system, which does not enforce automatic escaping. This can be exploited through specially crafted login links or by a malicious app triggering the application key workflow with crafted parameters. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network-based attack vector with required user interaction (NVD).

A successful exploit could allow attackers to retrieve or modify sensitive configuration settings, interrupt prints, or maliciously interact with the OctoPrint instance. The attack requires either convincing a victim to click on a specially crafted login link or having a malicious app redirect the victim to a specially crafted confirmation dialog (Vendor Advisory).

The vulnerability has been patched in version 1.10.3 through individual escaping of the detected locations. Additionally, version 1.11.0 will implement a global change to enforce automatic escaping throughout the templating system. For third-party plugins, there will be a transition period allowing opt-in to automatic escaping, with mandatory enforcement (unless explicitly opted out) coming in version 1.13.0 (Vendor Advisory).